Gain Stakeholder Buy-In With These Cybersecurity Best Practices

Start with framing it in a business context.

Trade technology talk for a strategy that showcases cybersecurity value

Nearly 40% of non-executive board directors identify cyber-risk investment as having the greatest positive impact on shareholder value in 2025-2026. It follows that cybersecurity is a business decision. The problem is, it’s not often treated as one.

This is, in part, because without understanding how cybersecurity works, it’s difficult for non-IT executives to see the value of what they’re spending or decide how much is enough. A sustainable cybersecurity program that gets buy-in across the C-suite balances the value of cybersecurity against the needs of running the business.

Create cybersecurity value by treating cybersecurity as a business decision

To frame cybersecurity within a business context, move from assessing threats to managing protection levels.

Step No. 1: Reframe the conversation

Make room for your peers to articulate cybersecurity protection in terms they understand. Encourage them to use the language of cost and value: How much protection do executive leaders want, and how much are they prepared to spend?

Frame protection levels in the context of business drivers, such as:

  • Business operations. Which decisions would put the organization at higher risk?

  • Regulatory demands. What protection level agreements (PLAs) are acceptable to regulators?

  • Shareholders. Will customers and shareholders be satisfied with the organization’s cybersecurity decisions? Is the CEO prepared to defend those decisions?

  • Partners. Will the organization’s level of protection be sufficient to satisfy its partners’ requirements?

  • Cyber insurance eligibility. Cyber insurance is becoming more expensive and demanding more stringent requirements. Will the organization’s protection level be sufficient to meet these requirements?

  • Benchmarks. How will protection levels compare with those of other organizations?

  • Observable business impact. How much downtime or other material loss are security incidents causing? How can stronger or weaker PLAs change that?

Step No. 2: Choose outcome-driven metrics (ODMs)

Cybersecurity metrics are traditionally backward-looking and operational; they do not support decision making for priorities and investments. A cybersecurity ODM acts as both a protection lever and a value lever. It reflects how well an organization is protected, not how it is protected.

CIOs focused on developing cybersecurity ODMs should:

  1. Define the control’s protection-level outcomes. Create a simple description of operational performance and desired protection benefits. Include the benefits of higher and lower protection, and how direct investment can change the outcome.

  2. Describe value-lever trade-offs. For each control, describe the relationship between cost (investment) and value (protection level). Better protection (less risk) is typically more costly.

  3. Define benefit outcomes. Describe measures of impact to the business.

  4. Sharpen outcomes in a business context. Measure ODMs against supporting technologies for each business unit, operating function or department that creates business outcomes for the organization.

Step No. 3: Create PLAs with ODMs

A PLA is a business decision to invest in a measurable level of protection at a defined cost. PLAs change the nature of success and failure in cybersecurity. If a security incident occurs within the PLA’s defined tolerances, the incident is the result of a business decision, not the failure of a control.

Executives may not explicitly engage at the ODM level of a PLA, but they sign off and are responsible for the ODMs and PLAs that align to their business outcomes. Cost is critical in selecting protection levels; CIOs’ cost allocation exercises must be rigorous enough to ensure a credible, defensible reflection of costs to support good decision making.

Once the organization can measure security outcomes and align them to different parts of the business, it can develop PLAs by setting targets for ODMs and determining costs to deliver those targets. If the organization isn’t hitting its target protection levels, it can invest more money to achieve its PLA or save that money and adjust the PLA down to something it can afford.

Step No. 4: Use the CARE model as a reality check

The CARE framework guides organizations’ cybersecurity investments to ensure they remain consistent, adequate, reasonable and effective. This approach helps executives honor their fiduciary responsibility to protect the organization by answering these recurring questions:

  • When is cybersecurity done? It is never done, but it is stable when the organization has defined and is executing controls to hit target levels of protection.

  • What is the right amount of cybersecurity? Cybersecurity is a choice; the organization chooses how much cybersecurity meets the needs of key stakeholders.

  • How much should the CIO invest in cybersecurity? The organization’s chosen levels of protection dictate investment. If the organization hits these levels, the cost reflects the price for performance.

  • What should the CIO report to the board of directors? Continuously report the ODMs and discuss changes to PLAs.

  • How well is the organization protected? With ODMs, stakeholders always have a direct line of sight into this.

Cybersecurity value FAQs

What is the value of cybersecurity?

The value of cybersecurity lies in its ability to protect and enable business operations, drive strategic investments, enhance stakeholder confidence, and ensure compliance with regulations. By framing cybersecurity as a critical component of business strategy, organizations can better articulate its value to executives and stakeholders.

Who is liable in the case of a cybersecurity breach?

In the event of a cybersecurity breach, liability can involve multiple parties, including the CISO, the board of directors and the organization itself, depending on the circumstances surrounding the breach and the adequacy of the cybersecurity measures in place.